Description
Describe the bug
When trying to authenticate as a managed identity, the Azure Instance Metadata Service (IMDS) endpoint is not accepted when attempting to acquire a token. Considering how Managed Identity is used and supported on Azure, it would be beneficial to have the well-known route table (169.254.169.254) included as part of the known endpoints.
Managed Identity Documentation - https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
To Reproduce
Steps to reproduce the behavior:
- Create User-Assigned Managed Identity in Azure
- Create VM (I used DSVM on Linux) and associate Managed Identity to it
- Connect via SSH as local user
- Install MSAL with pip
- Create a python file with the following code
```python
import msal

client_id = "<client id from managed id>"
# IMDS managed-identity token endpoint, passed as the MSAL authority
authority = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01"
# this resource is specific to databricks
resource = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"
scope = resource + "/.default"
# validate_authority=False does not skip the URL-shape check in canonicalize()
app = msal.ClientApplication(client_id, authority=authority, validate_authority=False)
result = app.acquire_token_for_client(scopes=[scope])
```
- Run the script
Expected behavior
It would be great to get back a bearer token.
What you see instead
This is the error message:
```text
Traceback (most recent call last):
  File "msi-example.py", line 8, in <module>
    app = msal.ClientApplication(client_id, authority=authority, validate_authority=False)
  File "/anaconda/envs/py37_default/lib/python3.7/site-packages/msal/application.py", line 199, in __init__
    self.http_client, validate_authority=validate_authority)
  File "/anaconda/envs/py37_default/lib/python3.7/site-packages/msal/authority.py", line 56, in __init__
    authority, self.instance, tenant = canonicalize(authority_url)
  File "/anaconda/envs/py37_default/lib/python3.7/site-packages/msal/authority.py", line 125, in canonicalize
    % authority_url)
ValueError: Your given address (http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01) should consist of an https url with a minimum of one segment in a path: e.g. https://login.microsoftonline.com/<tenant> or https://<tenant_name>.b2clogin.com/<tenant_name>.onmicrosoft.com/policy
```
The MSAL Python version you are using
Paste the output of this:
```shell
python -c "import msal; print(msal.__version__)"
```
1.4.1
Additional context
I spoke about this with some of my friends in Identity on their Twitch office hours:
https://www.twitch.tv/videos/674589209
Also, I ran into this issue when working on another project where we needed to acquire a token before interacting with the Databricks API:
https://github.com/Azure/db-dsc-jobs
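For reference, the IMDS request that the authority URL in the report points at, issued directly rather than through MSAL, as an added example that is neither from this issue nor from the MSAL project. The `Metadata: true` header and the `resource`/`client_id` query parameters are the documented IMDS token interface; the function names, the placeholder client id and the constructed JSON reply in the test are assumptions of this example.

```python
"""Added example: build and parse an Azure IMDS managed-identity token
request for the resource used in the bug report (not MSAL project code)."""
import json
import urllib.parse
import urllib.request

# Link-local IMDS endpoint and api-version from the report's authority URL
IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"


def build_imds_token_url(resource, client_id=None, api_version=API_VERSION):
    """Return the IMDS token URL for `resource`. `client_id` selects a
    user-assigned identity; omit it to use the system-assigned one."""
    params = {"api-version": api_version, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_imds_token_response(body):
    """Extract access token and expiry (epoch seconds) from the IMDS JSON
    body; IMDS returns expires_on as a string, so it is converted here."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError("IMDS reply has no access_token: %s" % body)
    return {
        "access_token": data["access_token"],
        "expires_on": int(data["expires_on"]),
        "resource": data.get("resource"),
    }


def get_managed_identity_token(resource, client_id=None, timeout=5):
    """Perform the request. IMDS requires the 'Metadata: true' header and is
    reachable only from inside the Azure VM that owns the identity."""
    req = urllib.request.Request(
        build_imds_token_url(resource, client_id), headers={"Metadata": "true"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_imds_token_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Same Databricks resource id and client-id placeholder as in the report
    tok = get_managed_identity_token(
        "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d", client_id="<client id from managed id>"
    )
    print("token for", tok["resource"], "expires at", tok["expires_on"])
```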